Smartphone security - what's the risk?
Every week there are countless stories about smartphone security breaches, mobile malware and cloud services that have been hacked or compromised in some way. We all use our smartphones to store personal and sensitive information – emails, messages, pictures, bank account details, password lists and more – that you really wouldn’t want to fall into the wrong hands. With cloud services (e.g. iCloud, Dropbox and Google Drive) being tightly integrated into smartphones coupled with the increasing amount of digital data, smartphones present the bad guys with a very real opportunity to steal your personal information and invade your privacy.
As smartphone users, we place our trust in the hardware manufacturers and mobile networks, as well as the websites and applications that we use daily. And we have the right for our information to be secure and not misused in any way. Unfortunately viruses, malware, trojan horses and other security threats are a reality today, but one that everyone hopes they don’t have to deal with.
Government spyware
As highlighted by the Snowden intelligence leaks in the last few years, it seems that even government agencies are complicit in trying to pry information from our smartphones. But it’s not just the NSA that is to blame – recent incidents in the headlines include the Indian Air Force branding Xiaomi smartphones a threat (due to alleged snooping by the Chinese government), and hidden spyware apps targeting protestors in the pro-democracy “Occupy Central” movement in Hong Kong.
You might trust your own government if you have nothing to hide, but would you buy a Chinese phone knowing that the government might have a backdoor to all your activities? In most cases, I’m sure there is little risk that Big Brother is interested in the average smartphone user, but you just might be exposing your location, spending habits, email messages, contact details and much more.
Beyond the law
In last month’s iCloud celebrity photo leak, Apple insisted that the service itself was not hacked, but that weak passwords were exploited by the attackers. Since the incident, Apple extended its more secure two-step verification to 60 countries, so that users would have to confirm activity such as logging in on new devices with an additional security step.
Apple has also enabled encryption by default in iOS 8 (unlike Android where it is off by default), which makes it more difficult for the authorities to obtain information from your smartphone, even with a court order and lawful intercept – Apple claims that it cannot decrypt your data even if they wanted to.
Attorney General Eric H. Holder Jr. said that this would endanger criminal investigations and the FBI Director James Comey expressed concern that technology companies could “market something expressly to allow people to place themselves beyond the law”. But what’s the solution? If there was a backdoor into everyone mobile operating system for the authorities to use, then it would eventually be exploited by attackers too.
Mobile tower eavesdropping
According to a recent article by the BBC, around the country are special mobile phone towers setup by governments to find out who is walking by and what they are up to. “The British government will not even acknowledge that they use them. We know they do, but they won’t even acknowledge that. The FBI does acknowledge that they use them, but is very secretive about how”, said security expert Bruce Schneier.
And then there was the revelation in June this year by Vodafone about the existence of “secret wires” that allow governments to listen in directly, in 29 of the countries in which it operates. Vodafone wouldn’t reveal which countries require this direct access to avoid its employees being harassed by governments. You can read more from Vodafone in their Law Enforcement Disclosure Report.
Smartphone security threats
According to Kaspersky Labs’ analysis, adware is the most prevalent type of mobile malware at 26.7% in Q2 2014, followed by trojan SMS messages at 22%. As you can see in the threat distribution chart below, there is a wide variety of malware that behaves in many different ways – some of it is intended to capture your financial details such as credit card information (for example, a custom keyboard that records your keystrokes), while others are more harmless and simply redirect the phone’s browser to sites encouraging you to sign up to special deals.
Even the latest wave of wireless payment systems are not immune to attack – in the US this week, CurrentC was hacked and user email addresses were possibly stolen. In this case, it may play into Apple’s corner to promote Apple Pay as the more secure option, but it doesn’t exactly inspire confidence in wireless payments in general.
Unfortunately at least until 2013, Android users were at much higher risk from malware and viruses than iOS, with a massive 98.05% share. This may be partly because Android has a higher market share than iOS, but it’s also likely that many Android users don’t install any additional security software beyond what’s already provided natively by Android. It’s only recently that companies such as Samsung have deemed to include built-in virus and malware protection, such as its “safe for work” Knox security software.
Despite this seemingly alarming statistic for Android, it’s estimated that only 0.001% of apps can evade Google’s 7 layers of security measures, which means that even though it’s definitely out there it’s not a serious problem for most users. In actual fact, Symantec published a report in 2013 in which they had discovered 387 security holes in iOS and only 13 in Android. The report makes for very interesting reading.
Google will shortly release the next version of Android (“Lollipop”) that includes important security improvements which will be enabled by default. The new features include a better lock screen to prevent people accessing the device, encryption, and Device Manager features to find or wipe a device that has been lost – in other words, a kill switch.
I don’t think it’s realistic that the average person should care about security – Adrian Ludwig, head of Android security at Google
The recent comment made by Ludwig seems distinctly out of place coming from the head of Android security – of course the average person should care about smartphone security, but they shouldn’t have to go to the effort of manually configuring dozens of obscure options to get it to work.
Securing your personal information
Besides taking precautions such as being careful about what websites you visit and which apps you install (and having adequate security software), how else could you ensure that your personal data is safe and secure?
You could in fact use a smartphone whose makers claim is the world’s most secure mobile device. The Blackphone uses a custom operating system called PrivatOS which is derived from Android (and so feels similar to many Android devices) but with much more focus on security.
“Blackphone offers a simple and secure starting point for communication. We combine a customized operating system, PrivatOS, with leading apps all designed to optimize privacy. It is built from the ground up to be secure by design” – Blackphone website
The phone has a comparable specification to many mid- to high-tier Android smartphones including a 4.7 inch screen and quad-core CPU, but also includes features such as encrypted phone calls and emails, secure search and browsing, and anonymous cloud based storage.
Despite the fact that the Blackphone was hacked in August, PrivateOS was updated just this week with various improvements – so let’s hope they’ve already fixed the security flaws found by the hacker.
For most people however, it’s not necessary to resort to the world’s most secure phone. But its existence does help to raise awareness of security and privacy issues, and might lead to at least some of those features becoming available on standard Android devices in the future. With more smartphones adding biometric sensors such as fingerprint scanners, plus better encryption and security software, the smartphone manufacturers seem to be getting increasingly serious about our smartphone security.
Let’s just hope that malware, cloud security breaches and government surveillance don’t further erode consumer confidence in smartphone security to the point where we eventually become afraid to use them. To answer the original question about whether smartphone users are risking their security and privacy – undoubtedly there are some risks, but in most circumstances anyone that is careful and takes a few sensible precautions (such as avoiding untrusted apps, not storing bank account details in plain text files, and using a strong password to keep their phone locked) should be safe enough.
For anyone concerned about smartphone security, there are some great tips on the Kaspersky website.